Description of problem:
I tried to start a VM from gnome-boxes running in a VM. No nested kvm so it started it emulating the CPU, and this gave this error.

Additional info:
libreport version: 2.0.14
kernel:         3.6.0-0.rc6.git0.2.fc18.i686.PAE

description:
SELinux is preventing qemu-system-i38 from using the 'execmem' accesses on a process.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that qemu-system-i38 should be allowed execmem access on processes labeled svirt_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep qemu-system-i38 /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:svirt_t:s0:c68,c970
Target Context                unconfined_u:unconfined_r:svirt_t:s0:c68,c970
Target Objects                [ process ]
Source                        qemu-system-i38
Source Path                   qemu-system-i38
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.11.1-25.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.6.0-0.rc6.git0.2.fc18.i686.PAE
                              #1 SMP Mon Sep 17 17:28:04 UTC 2012 i686 i686
Alert Count                   1
First Seen                    2012-10-02 16:35:06 CEST
Last Seen                     2012-10-02 16:35:06 CEST
Local ID                      5842b06c-cdae-4d3a-9673-40187dcb9565

Raw Audit Messages
type=AVC msg=audit(1349188506.231:407): avc:  denied  { execmem } for  pid=5166 comm="qemu-system-i38" scontext=unconfined_u:unconfined_r:svirt_t:s0:c68,c970 tcontext=unconfined_u:unconfined_r:svirt_t:s0:c68,c970 tclass=process

Hash: qemu-system-i38,svirt_t,svirt_t,process,execmem

audit2allow

#============= svirt_t ==============
#!!!! This avc can be allowed using the boolean 'virt_use_execmem'

allow svirt_t self:process execmem;

audit2allow -R

#============= svirt_t ==============
#!!!! This avc can be allowed using the boolean 'virt_use_execmem'

allow svirt_t self:process execmem;
Created attachment 620391: File: type
Created attachment 620392: File: hashmarkername
#============= svirt_t ==============
#!!!! This avc can be allowed using the boolean 'virt_use_execmem'

(In reply to comment #3)
> #============= svirt_t ==============
> #!!!! This avc can be allowed using the boolean 'virt_use_execmem'

Doesn't this mean that non-kvm qemus are broken out of the box, and that this is done on purpose? This does not sound great from a user point of view...
Since 3.5.4 Boxes allows to create QEMU VMs without KVM capabilities: http://ftp.acc.umu.se/pub/GNOME/sources/gnome-boxes/3.5/gnome-boxes-3.5.4.news
Well open this up for discussion on the virt list. I don't care either way. Allowing virt to use execmem makes it more susceptible to buffer overflow attacks. I guess we could have libvirt set the boolean when running a qemu process without kvm, or select a different svirt label svirt_nokvm_t.
I would go for having a separate svirt label for non-KVM based QEMU.
Ok I just checked changes into F18 policy to support two types, svirt_t and svirt_nokvm_t; the only difference is execmem and execstack for svirt_nokvm_t. The context file has changed to include two labels:

cat virtual_domain_context
system_u:system_r:svirt_t:s0
system_u:system_r:svirt_nokvm_t:s0

Now libvirt needs to change to be able to use the alternate label.
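The two remedies discussed in this thread (turning on the virt_use_execmem boolean, or running non-KVM QEMU under the separate svirt_nokvm_t label) only apply to a specific shape of denial: execmem or execstack on the process class, where the svirt_t domain is both source and target. The script below is an added triage helper, not code from this bug, from libvirt, or from selinux-policy. It reads AVC lines, picks out the ones that the boolean would cover, and prints the two options. The audit lines it carries are constructed: the first is modelled on the raw AVC message in the report, the other two are made up to show an execstack denial and an unrelated file denial. The libvirt seclabel snippet it prints assumes a libvirt that understands a `<baselabel>` inside a dynamic `<seclabel>`; treat that as an assumption to check against your libvirt version.

```shell
#!/bin/sh
# Added example for this bug thread; not part of libvirt or selinux-policy.

# Constructed sample audit log (three AVC lines; only the first is taken
# from the report, the other two are invented for illustration).
SAMPLE_AUDIT='type=AVC msg=audit(1349188506.231:407): avc: denied { execmem } for pid=5166 comm="qemu-system-i38" scontext=unconfined_u:unconfined_r:svirt_t:s0:c68,c970 tcontext=unconfined_u:unconfined_r:svirt_t:s0:c68,c970 tclass=process
type=AVC msg=audit(1349188506.231:408): avc: denied { execstack } for pid=5166 comm="qemu-system-i38" scontext=unconfined_u:unconfined_r:svirt_t:s0:c68,c970 tcontext=unconfined_u:unconfined_r:svirt_t:s0:c68,c970 tclass=process
type=AVC msg=audit(1349188506.231:409): avc: denied { read } for pid=5166 comm="qemu-system-i38" name="disk.img" scontext=unconfined_u:unconfined_r:svirt_t:s0:c68,c970 tcontext=unconfined_u:object_r:home_t:s0 tclass=file'

# Third colon-separated field of an SELinux context is the type.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read AVC lines on stdin; print one permission name per line for every
# denial that virt_use_execmem would allow: execmem or execstack, source
# type svirt_t, class process, and the target is the process itself.
execmem_covered() {
    while IFS= read -r line; do
        case "$line" in
            *'avc:'*'denied'*) ;;
            *) continue ;;
        esac
        perm=$(printf '%s\n' "$line" | sed -n 's/.*denied *{ *\([a-z_]*\) *}.*/\1/p')
        sctx=$(printf '%s\n' "$line" | sed -n 's/.*scontext=\([^ ]*\).*/\1/p')
        tctx=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=\([^ ]*\).*/\1/p')
        tclass=$(printf '%s\n' "$line" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')
        case "$perm" in execmem|execstack) ;; *) continue ;; esac
        [ "$(ctx_type "$sctx")" = svirt_t ] || continue
        [ "$tclass" = process ] || continue
        [ "$sctx" = "$tctx" ] || continue
        printf '%s\n' "$perm"
    done
}

# Count of covered denials in a log passed as a single string.
count_covered() {
    printf '%s\n' "$1" | execmem_covered | wc -l | tr -d ' '
}

# Remedy 1: the boolean, machine-wide (every svirt_t guest gets execmem).
boolean_remedy() {
    printf 'setsebool -P virt_use_execmem on\n'
}

# Remedy 2: a per-domain label so only the non-KVM guest loses the
# execmem/execstack restriction. ASSUMPTION: this libvirt supports
# <baselabel> inside <seclabel type="dynamic">.
nokvm_seclabel_xml() {
    printf '%s\n' \
        "<seclabel type='dynamic' model='selinux'>" \
        "  <baselabel>system_u:system_r:svirt_nokvm_t:s0</baselabel>" \
        "</seclabel>"
}

# Usage: show what the sample log would call for.
if [ "$(count_covered "$SAMPLE_AUDIT")" -gt 0 ]; then
    echo "execmem/execstack denials on svirt_t found; either:"
    boolean_remedy
    echo "or give the non-KVM domain its own label:"
    nokvm_seclabel_xml
fi
```

Only the first two sample lines count: the file read denial on the third line is a different problem and neither the boolean nor the svirt_nokvm_t label would make it go away, which is the check to do before reaching for audit2allow.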
I was trying to create a virtual machine in Boxes. Package: (null) Architecture: x86_64 OS Release: Fedora release 18 (Spherical Cow)
Jiri, just turn on the boolean.
*** This bug has been marked as a duplicate of bug 885837 ***